Though scrutiny has intensified over Facebook’s handling of the data breach, the whole debacle could be just a one-off, according to Brent Thill, a Jefferies analyst.

Cambridge was a bad actor from the start and the social media company has shown it has taken proactive measures to ask that the data be deleted (even though that didn’t happen), and has changed its app developer policies to include a thorough review of which data an app requests and uses. There will not be another Cambridge Analytica scandal, Thill said.

“We see headlines from data breaches & Zuckerberg’s announced changes to the timeline as near term headwinds to investor sentiment, but do not believe it will have a material impact on top line growth,” he said.

Thill’s price target was $230 per share, and he maintained his “Buy” position.

Instead, he he has turned his attention to the “next overhang,” which is the European Union’s General Data Protection Regulation (GDPR) law, set to go into effect on May 25. The privacy policy will force websites and platforms to be fully transparent with users on how they use their data and how it is being collected. It requires explicit opt-ins for the usage of sensitive personal information, such as ethnicity, beliefs, sexual orientation, and like information.

European lawmakers have been more heavy-handed with their privacy requirements from tech companies. UK parliamentarians were one of the first to summon Facebook’s senior executives to account for their handling and use of users’ data on their platform.

Facebook is also complying with another ePrivacy law, which runs in conjunction with the GDPR. The social media platform has had to re-register consent from all of its existing European users, as well as through each separate app used by its ad-generating network, the Audience Network and Custom Audiences, which puts ads on website and apps outside of Facebook.

The law could potentially hurt Facebook’s ad revenues because it requires the social media company to have a “fully documented permission trail” of existing data or else the data becomes obsolete. If the user chooses to opt-out of marketing campaigns, their personal data will be entirely erased and can never be used again, Goldman Sachs Analyst Lisa Yang and her team warns.

“Facebook and Google will either be (a) prohibited from using the unprecedented amounts of data already in their control; or (b) subject to fines and penalties that will, for the first time in history, have a significant impact on their bottom lines,” according to the trade organization, Digital Content Next.

A Facebook critic said the company was fortunate that the Cambridge Analytica incident did not occur after the GDPR went into effect, implying the company would have suffered harsh fines. It “would have cost Facebook 4 percent of their global revenue,” Austrian privacy campaigner Max Schrems told Reuters.

Facebook’s stock was down 2.65% Wednesday, after two consecutive days of losses. It was down 8.8% for the year.